forked from anchore/syft
/
registry.go
84 lines (73 loc) · 3.12 KB
/
registry.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
package options
import (
"os"
"github.com/anchore/clio"
"github.com/anchore/stereoscope/pkg/image"
)
type RegistryCredentials struct {
Authority string `yaml:"authority" json:"authority" mapstructure:"authority"`
// IMPORTANT: do not show any credential information, use secret type to automatically redact the values
Username secret `yaml:"username" json:"username" mapstructure:"username"`
Password secret `yaml:"password" json:"password" mapstructure:"password"`
Token secret `yaml:"token" json:"token" mapstructure:"token"`
TLSCert string `yaml:"tls-cert,omitempty" json:"tls-cert,omitempty" mapstructure:"tls-cert"`
TLSKey string `yaml:"tls-key,omitempty" json:"tls-key,omitempty" mapstructure:"tls-key"`
}
type registryConfig struct {
InsecureSkipTLSVerify bool `yaml:"insecure-skip-tls-verify" json:"insecure-skip-tls-verify" mapstructure:"insecure-skip-tls-verify"`
InsecureUseHTTP bool `yaml:"insecure-use-http" json:"insecure-use-http" mapstructure:"insecure-use-http"`
Auth []RegistryCredentials `yaml:"auth" json:"auth" mapstructure:"auth"`
CACert string `yaml:"ca-cert" json:"ca-cert" mapstructure:"ca-cert"`
}
var _ clio.PostLoader = (*registryConfig)(nil)
func (cfg *registryConfig) PostLoad() error {
// there may be additional credentials provided by env var that should be appended to the set of credentials
authority, username, password, token, tlsCert, tlsKey :=
os.Getenv("SYFT_REGISTRY_AUTH_AUTHORITY"),
os.Getenv("SYFT_REGISTRY_AUTH_USERNAME"),
os.Getenv("SYFT_REGISTRY_AUTH_PASSWORD"),
os.Getenv("SYFT_REGISTRY_AUTH_TOKEN"),
os.Getenv("SYFT_REGISTRY_AUTH_TLS_CERT"),
os.Getenv("SYFT_REGISTRY_AUTH_TLS_KEY")
if hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey) {
// note: we prepend the credentials such that the environment variables take precedence over on-disk configuration.
// since this PostLoad is called before the PostLoad on the Auth credentials list,
// all appropriate redactions will be added
cfg.Auth = append([]RegistryCredentials{
{
Authority: authority,
Username: secret(username),
Password: secret(password),
Token: secret(token),
TLSCert: tlsCert,
TLSKey: tlsKey,
},
}, cfg.Auth...)
}
return nil
}
func hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey string) bool {
hasUserPass := username != "" && password != ""
hasToken := token != ""
hasTLSMaterial := tlsCert != "" && tlsKey != ""
return hasUserPass || hasToken || hasTLSMaterial
}
func (cfg *registryConfig) ToOptions() *image.RegistryOptions {
var auth = make([]image.RegistryCredentials, len(cfg.Auth))
for i, a := range cfg.Auth {
auth[i] = image.RegistryCredentials{
Authority: a.Authority,
Username: a.Username.String(),
Password: a.Password.String(),
Token: a.Token.String(),
ClientCert: a.TLSCert,
ClientKey: a.TLSKey,
}
}
return &image.RegistryOptions{
InsecureSkipTLSVerify: cfg.InsecureSkipTLSVerify,
InsecureUseHTTP: cfg.InsecureUseHTTP,
Credentials: auth,
CAFileOrDir: cfg.CACert,
}
}